HIPAA Compliance and Your Dental Practice’s Website

Is your dental website HIPAA-compliant? Learn what’s required to protect patient data and avoid costly legal risks.

Key Points

  • HIPAA fines for dentists are rare and usually involve physical records, not websites.
  • Most violations target large healthcare systems mishandling patient data.
  • Always get signed patient consent before sharing testimonials or videos.
  • Use secure scheduling tools, encrypted contact forms, and SSL certificates.
  • Focus on patient privacy but stay realistic — online HIPAA risk is minimal.
  • :Delmain builds secure, compliant dental websites to help protect your practice.

How many emails do you get every week from an expert in HIPAA compliance wanting to sell you their services or a new piece of software? Many sales pitches focus on the fear of what might or could happen if you don’t buy the latest HIPAA-compliant solution.

At :Delmain, we work with dentists all over the country and understand their fears. What can happen? What’s likely to happen? What should you be doing to protect your practice? So instead of falling prey to the worry of the possibility of HIPAA fines and violations, I started to wonder about what was really happening. Here’s what I found.

Know your history

HIPAA, an act designed to improve patient privacy and reduce healthcare fraud (among other things), went into effect in 1996. However, it wasn’t until nearly 20 years later that a dentist was fined for non-compliance. In 2015, a dentist in Indiana was fined $12,000 for “mishandling [physical patient] records containing sensitive information.”

No dentists were fined for HIPAA violations in 2016 or 2017 — the last years with available data.

Get the facts

Throughout HIPAA’s existence, there have been around 185,000 complaints submitted by patients, healthcare professionals, and other parties. Only 55 of those cases have ended in a fine, totaling a bit over $78 million.

So who’s being fined if not dentists? In 2016, HIPAA-related fines included:

  • $5.55 million – Advocate Health Care, the largest HIPAA fine on record
  • $3.90 million – The Feinstein Institute for Medical Research
  • $2.75 million – University of Mississippi Medical Center
  • $2.70 million – Oregon Health & Science University
  • $2.20 million – New York-Presbyterian Hospital

These are huge corporations and organizations that made major mistakes handling patient health records and sensitive information.

Be aware of the risk

What about dentists? Yes, dentists are investigated for HIPAA violations and some do face consequences. In addition to the dentist who was fined for mishandling patient records, our research revealed these cases:

  • In 2014, a burglar stole a laptop containing patient health records from a dentist’s office, leading to an investigation but ultimately no fine.
  • A dental practice “flagged some of its medical records with a red sticker with the word ‘AIDS’ on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker.” When made aware of the HIPAA complaint, the dentist took action to safeguard protected health information (PHI).

Keep in mind, there are around 195,000 practicing dentists in the United States and these were the 2 cases we were able to find.

Additionally, our research hasn’t turned up cases where dentists have been investigated specifically because of a complaint directly related to their websites, social media profiles, or other online presences.

Currently, it seems HIPAA fines are focused on big healthcare providers and insurance companies who are careless with digitally stored or paper copies of patient health records or who aren’t taking patient privacy seriously.

Take patient privacy and security seriously

Do your duty as a healthcare provider to safeguard and secure patient health records and protected health information. But also remember that based on the available data, you’re much more likely to have a problem with records and information stored in your own office than you are with anything on your practice’s website.

Be reasonable and realistic

As a dentist, here’s how you can minimize your website’s risk of facing HIPAA compliance issues:

  • Before sharing testimonials or patient videos, get a signed release from your patient
  • Use online scheduling software like LocalMed or SolutionReach
  • When using an online contact form, take reasonable security measures like SSL certificates and secure messaging

Make the decision that’s right for you and your dental practice

As a dentist and practice owner, the buck stops with you. You’re ultimately responsible for HIPAA compliance, whether it’s your front desk person, your website, your digital backups of patient records, your building security, or something you haven’t even thought of yet!

Understand your responsibilities and the risks, and make the best decision you can.
